New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 6 vulnerabilities #54

Open

137717unity wants to merge 1 commit into master from snyk-fix-ccbe36a85d0e78d2daf8f739f892b8d8

Owner

137717unity commented Oct 9, 2022

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- tests/screenshots/package.json
- tests/screenshots/package-lock.json
- tests/screenshots/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JS-JPEGJS-2859218	No	Proof of Concept
	509/1000 Why? Has a fix available, CVSS 5.9	Denial of Service (DoS) SNYK-JS-JPEGJS-570039	No	No Known Exploit
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Prototype Pollution SNYK-JS-MINIMIST-2429795	No	Proof of Concept
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-MINIMIST-559764	No	Proof of Concept
	869/1000 Why? Mature exploit, Has a fix available, CVSS 8.8	Use After Free SNYK-JS-PUPPETEER-174321	No	Mature

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: mkdirp

The new version differs by 4 commits.

b2e7ba0 0.5.2
c5b97d1 bump minimist to 1.2 to fix security issue
f2003bb test: add v4 and v5 to travis
b8629ff tools: update tap + mock-fs. Fix broken test

See the full diff

Package name: puppeteer

The new version differs by 250 commits.

77a9694 chore: mark version v1.13.0 (Infobase running on ol-home internetarchive/openlibrary#4114)
ba5f94d test: disable flaky cookies test (Make covers service configurable like web internetarchive/openlibrary#4112)
02b2451 fix: check if async error has a stack (Docker Deployment Strategy for ol-web[1,2] internetarchive/openlibrary#4017)
9db09fe test: add test to validate redirecting in request.respond (Revert unintentional commit internetarchive/openlibrary#4106)
c68df32 test: add failing test for bad request interception (Fix YAML load warnings internetarchive/openlibrary#4108)
02859c3 feat(chromium): roll Chromium to r637110 (Croatian (hr) translation internetarchive/openlibrary#4099)
bc28f3b fix(firefox): fix executablePath() on OSX (Make solr's docker up command more like web's internetarchive/openlibrary#4105)
c9f6a3d chore(firefox): bump version to v0.5.0 (The backend doesn't prevent logged in users from reverting anyone's changes internetarchive/openlibrary#4089)
a6d8ecc fix(firefox): keyboard tests (Help us improve our WAVE accessibility score internetarchive/openlibrary#4082)
e8a4963 test: cleanup tests (No quotes on $SERVICE in scripts/run_olserver.sh internetarchive/openlibrary#4078)
dae998e fix(firefox): enable domains in a proper order (height bug fixed internetarchive/openlibrary#4077)
9ef23b1 feat(firefox): implement cookies api (Fix errors were encountered when parsing FUNDING.yml internetarchive/openlibrary#4076)
03d06f5 feat(firefox): page.accessibility.snapshot() (Librarian Merge Queue: Propose/Flag Dupes internetarchive/openlibrary#4071)
f21486f feat(firefox): implement Page.touchscreen (Intellectual freedom. Terms of service. Privacy policy internetarchive/openlibrary#4070)
3541b89 test: split out all chromium-specific tests into chromiumonly.spec.js (Borrowing HMAC error on Python 3 internetarchive/openlibrary#4068)
77a4ea5 test: split out fixture tests and make them work with FF (New hmac issues on Python 3 internetarchive/openlibrary#4067)
d04a8d5 refactor(firefox): split out DOMWorld (3720/bug/manage solr logs internetarchive/openlibrary#4066)
4ecbd91 refactor(firefox): migrate onto ExecutionContext events (Add scripts/setup_covers1.sh internetarchive/openlibrary#4064)
56dafd7 feat: support Response.buffer(), Response.json() and Response.text() (Remove grayscale filter from browse by subject images internetarchive/openlibrary#4063)
3bea5d6 feat(firefox): implement browserContext.overridePermissions (Migrate ol-home to ol-home0 internetarchive/openlibrary#4060)
f1a14fe feat(firefox): support elementHandle.uploadFile (Create ol-home0 node internetarchive/openlibrary#4058)
1315dc8 feat(firefox): support Page.emualteMedia (Docker: Set reasonable defaults for hostname and pyenv_version internetarchive/openlibrary#4056)
5c81836 feat(firefox): implement page.exposeFunction (Python 3: list index out of range -- Fix IndexError in templates/type/edition/view.html internetarchive/openlibrary#4052)
7d39aca test: split out test for "text" option of ElementHandle.press (Orphaned editions throw IndexError internetarchive/openlibrary#4051)

See the full diff

Package name: reg-cli

The new version differs by 215 commits.

d9f86f5 0.16.3
9230f72 Merge pull request Publisher pages not updating with book covers internetarchive/openlibrary#345 from jusio/master
4a458a1 fix: files deleted from /actual are not deleted from /expected
b6239c7 Merge pull request Some books shown in admin as checked out to "Unknown" internetarchive/openlibrary#338 from reg-viz/renovate/mustache-4.x
2e54824 Merge pull request Correct Read links in Search Inside results when multiple files or filename-vs.-id disparity internetarchive/openlibrary#339 from reg-viz/renovate/dot-prop-6.x
2eff50b Merge pull request Can't undo some author merges (i.e. semi-broken admin feature) internetarchive/openlibrary#340 from reg-viz/renovate/serialize-javascript-5.x
8da1592 chore(deps): update dependency dot-prop to v6
52f4ac8 Merge pull request Add "Search inside" link above global search form internetarchive/openlibrary#327 from reg-viz/renovate/major-hapijs-monorepo
84e3325 chore(deps): update dependency serialize-javascript to v5
b8dd782 Merge pull request Search results contain broken e-book links internetarchive/openlibrary#334 from reg-viz/renovate/chalk-4.x
64da996 Merge pull request Removing an Edition still shows a "ghost" item on the Work page internetarchive/openlibrary#335 from reg-viz/renovate/del-6.x
9bfcd3a Merge pull request Book Formats shown as "Absent" on item Admin page internetarchive/openlibrary#341 from reg-viz/renovate/reg-suit-monorepo
b7d0591 chore(deps): update reg-suit monorepo to v0.10.8
885336e fix(deps): update dependency del to v6
12c3c9f fix(deps): update dependency chalk to v4
3981487 Merge pull request Stop ol-solr-updater from spinning internetarchive/openlibrary#281 from reg-viz/renovate/bluebird-3.x
b1fd2db Merge pull request DOCUMENTATION: Add local reCAPTCHA dev instructions internetarchive/openlibrary#288 from reg-viz/renovate/glob-7.x
00ae783 Merge pull request Add/remove from waiting list- the form doesn't submit internetarchive/openlibrary#308 from reg-viz/renovate/deep-extend-0.x
f7f117f chore(deps): update dependency hoek to v6
5f48a81 Merge pull request Convert broken ia:XXXXX records to real OL records internetarchive/openlibrary#321 from reg-viz/renovate/make-dir-3.x
c76f378 Merge pull request Address CORS issues with Open Library API endpoints internetarchive/openlibrary#329 from reg-viz/update-deps
19f0e4b fix(deps): update dependency mustache to v4
4224a75 fix(deps): update dependency make-dir to v3.1.0
fe06437 Merge pull request Add "Search inside" link to global search form internetarchive/openlibrary#326 from reg-viz/renovate/flow-typed-3.x

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn


          fix: tests/screenshots/package.json, tests/screenshots/package-lock.j…

a98ee2c

…son & tests/screenshots/.snyk to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JPEGJS-2859218
- https://snyk.io/vuln/SNYK-JS-JPEGJS-570039
- https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795
- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
- https://snyk.io/vuln/SNYK-JS-PUPPETEER-174321


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment